Skill v1.0.3

ClawScan security

sticker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 5, 2026, 3:42 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill’s behavior (autonomously posting stickers and querying a third‑party image API) is coherent with its stated purpose, but the always:true privilege plus undeclared network calls to an unfamiliar domain and missing binary/permission declarations make it concerning.
Guidance
This skill will autonomously decide to send a single sticker in many conversational contexts and does so by querying https://api.tangdouz.com with keywords derived from your chat. Concerns: (1) always:true forces the skill to be active in every session — it can proactively post stickers without explicit user consent; (2) the skill sends conversation-derived text as query parameters to a third‑party domain (possible data leakage) but the manifest does not disclose or justify that network usage; (3) the SKILL.md uses curl but the required binary/network permission is not declared. Before installing, consider asking the publisher to: remove always:true or require user opt-in, declare the external API domain and its privacy policy, and add an explicit permission/opt-in for outbound network queries (or use an approved image provider). If you handle sensitive information, avoid enabling this skill or require it to be user-invocable only (not forced/autonomous).

Review Dimensions

Purpose & Capability
note: The name/description (auto mood-based stickers) aligns with instructions to pick keywords and fetch images. However, the SKILL.md uses curl to call an external API (api.tangdouz.com) but the skill metadata does not declare that network calls or curl are required. The omission of any mention of the external API in the manifest is a mismatch.
Instruction Scope
concern: Runtime instructions require inspecting the whole conversation to derive keywords and then issuing HTTP requests with those keywords to a third-party server. That means user messages (potentially sensitive) are sent as query parameters to api.tangdouz.com; there is no privacy notice or limitation. The skill also instructs the agent to proactively send stickers whenever it judges the context appropriate ("默认发 / 自主发", i.e. "send by default / send autonomously"), which may cause unsolicited messages.
Install Mechanism
ok: There is no install spec and no code to write to disk, which is lower risk. However, the SKILL.md relies on an external HTTP endpoint (not a well-known release host) to fetch images at runtime; while not an install-time risk, it is a runtime network dependency that was not surfaced in metadata.
Credentials
ok: The skill declares no environment variables, credentials, or config paths — which is proportional to a simple sticker fetcher. But it nevertheless performs outbound HTTP requests with conversation-derived keywords, which effectively leaks context to a third party despite not requiring explicit credentials.
Persistence & Privilege
concern: always:true means the skill is force-loaded for every agent session; combined with its autonomous 'default send' behavior and third-party API calls, this increases the blast radius (unwanted/sticky behavior and silent data exfiltration). There is no justification in the manifest for always:true.